Getting Ready for a Pen Test: Step 2
In the first blog post of our three-part pen test series, we discussed the five common ways an attacker can gain access to your corporate network that you should address immediately before bringing in a pen tester. The next critical step focuses on asset identification and network segmentation.
During this process, it’s important to take inventory of what systems are on your network and what critical information is stored on those systems. There are a number of automated tools that can help you keep track of the systems on your network; however, in our experience there is no effective automated way to catalogue and prioritize data. That has to be done by the relevant stakeholders in each business unit of the organization, because they are the ones who know what the data is worth and who legitimately needs it. If you don’t understand what you need to protect, how can you properly protect it? As part of this, develop a hierarchy of the information so you know what your organization considers its “crown jewels.” What data would be most damaging to your business if an attacker obtained it? Examples include intellectual property, your clients’ personal information, and your business’ financial data. In a nutshell, define what your company uses to make money and protect those assets first.
After you’ve identified what assets and information are actually on your network, it’s time to segment them so that an attacker who does break through your perimeter has only limited access. Unfortunately, many organizations have no network separation between endpoints at all, at any of their locations. As pen testers, we like to call this the “castle wall effect”: once the outside perimeter is breached, almost any system can be reached from anywhere else in the environment, exposing the soft, unsecured underbelly of the internal network. Without controls that isolate high-risk systems, adjacent systems can be targeted to gain deeper access. In practice this means an attacker who phishes a single user on the workstation network (the segment most exposed to phishing) can reach your server environment directly from that workstation.
When developing a network segmentation plan, it’s important to understand how your organization does business and who should have access to what information, applying the principle of least privilege: each user gets only the rights needed to do their job, and each segment gets only the network flows its role requires. At a minimum, your segmentation plan should isolate the following groups from one another using firewall ACLs:
- Corporate resources – AD, Exchange, NAS, etc.
- Endpoints (local and remote)
- IT segment (access to management network)
- Management traffic
When it comes to technical controls, we recommend the following:
- Filter outbound (egress) traffic with deep packet inspection, allowing only the destinations and protocols the business actually needs rather than permitting everything outbound by default. If an attacker’s tooling or malware can’t phone home, command-and-control and data exfiltration become far more difficult.
- Ensure a proper escalation process and the right personnel are in place for when attacks are detected. This is one of the most important things the pen tester will test.
- Understand the business units in your organization and what resources they need to access, and use that as the baseline for creating firewall ACLs and groups within Active Directory. Spend the extra time, money and resources to ensure devices are configured properly.
- Beware of vendors with all-in-one products that claim to fix all your problems. There is no such solution.
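A segmentation plan is easy to write down and surprisingly easy to get wrong in the actual ACL, so it pays to test it the way a pen tester will: list the flows the business needs, list the flows an attacker would love to have, and check the rule set against both. The script below is an added example, not code from the original post or its authors; it models the segment groups listed above plus the egress-filtering recommendation as a first-match ACL, and reports every flow where the ACL disagrees with what the business decided. The address plan, segment names, port lists and test flows are all assumptions constructed for the example; substitute your own inventory. It covers TCP destination ports only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumed for this example, not from the post).
# Each segment maps to the network(s) that hold it.
SEGMENTS = {
    "endpoints":  [ipaddress.ip_network("10.10.0.0/16")],   # user workstations, VPN pool
    "corporate":  [ipaddress.ip_network("10.20.0.0/24")],   # AD, Exchange, NAS
    "it":         [ipaddress.ip_network("10.30.0.0/24")],   # admin jump hosts
    "proxy":      [ipaddress.ip_network("10.40.0.10/32")],  # egress proxy doing inspection
    "management": [ipaddress.ip_network("10.99.0.0/24")],   # iLO/iDRAC, switch/hypervisor mgmt
}


def in_segment(ip, name):
    """True if ip belongs to the named segment. 'any' matches everything;
    'internet' matches any address that is not in the inventory above."""
    if name == "any":
        return True
    if name == "internet":
        return not any(ip in net for nets in SEGMENTS.values() for net in nets)
    return any(ip in net for net in SEGMENTS[name])


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # segment name
    dst: str                         # segment name
    ports: frozenset = frozenset()   # TCP destination ports; empty means any port


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation, like a firewall ACL, with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if in_segment(src, r.src) and in_segment(dst, r.dst) and (not r.ports or port in r.ports):
            return r.action
    return "deny"


# "Castle wall": a perimeter firewall and nothing between internal segments.
FLAT_RULES = [Rule("allow", "any", "any")]

# Least-privilege plan: each segment gets only the flows its business role needs.
SEGMENTED_RULES = [
    Rule("allow", "endpoints", "corporate", frozenset({53, 88, 389, 636, 443, 445})),  # DNS, Kerberos, LDAP(S), HTTPS, SMB
    Rule("allow", "endpoints", "proxy", frozenset({3128})),          # web only via the inspecting proxy
    Rule("allow", "it", "corporate", frozenset({22, 3389, 5985})),   # admin protocols from IT segment only
    Rule("allow", "it", "management", frozenset({22, 443})),         # out-of-band consoles from IT only
    Rule("allow", "proxy", "internet", frozenset({80, 443})),
    Rule("deny", "any", "internet"),  # explicit egress deny: nothing else phones home directly
]

# Constructed test flows: (description, src, dst, port, expected verdict).
# The expectation is the business answer to "who should reach what";
# the ACL either agrees with it or it doesn't.
FLOWS = [
    ("workstation -> DC Kerberos",               "10.10.5.7",  "10.20.0.5",   88,   "allow"),
    ("workstation -> file server SMB",           "10.10.5.7",  "10.20.0.30",  445,  "allow"),
    ("workstation -> server RDP",                "10.10.5.7",  "10.20.0.5",   3389, "deny"),
    ("workstation -> iDRAC on mgmt net",         "10.10.5.7",  "10.99.0.20",  443,  "deny"),
    ("IT jump host -> iDRAC",                    "10.30.0.4",  "10.99.0.20",  443,  "allow"),
    ("workstation -> internet direct (beacon)",  "10.10.5.7",  "203.0.113.9", 443,  "deny"),
    ("workstation -> egress proxy",              "10.10.5.7",  "10.40.0.10",  3128, "allow"),
    ("proxy -> internet HTTPS",                  "10.40.0.10", "203.0.113.9", 443,  "allow"),
    ("server -> internet direct (exfil)",        "10.20.0.30", "203.0.113.9", 443,  "deny"),
]


def find_violations(rules, flows=FLOWS):
    """Return descriptions of the flows whose ACL verdict differs from the expected one."""
    return [desc for desc, s, d, p, want in flows if evaluate(rules, s, d, p) != want]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        bad = find_violations(rules)
        print(f"{name}: {len(bad)} violation(s)")
        for desc in bad:
            print("   ", desc)
```

Running it shows the flat rule set failing every attacker flow (workstation to RDP, workstation to the management network, and direct internet access from both workstations and servers) while the segmented rule set passes all of them and still permits the flows users and IT need. Rule order matters in the same way it does on a real firewall: if the explicit egress deny were placed before the proxy rule, the proxy would lose its own internet access, which is exactly the kind of mistake this check catches before the pen tester does.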